Archive

Archive for the ‘Win32/Fareit’ Category

MSRT April release features Bedep detection

As part of our ongoing effort to provide better malware protection, the Microsoft Malicious Software Removal Tool (MSRT) release this April will include detections for:

In this blog, we’ll focus on the Bedep family of trojans.

 

The bothersome Bedep

Win32/Bedep was first detected in November 25, 2014 as a malware family made up of DLLs which has been distributed by Angler Exploit Kit. Microsoft detects Angler as:

JS/Axpergle and HTML/Axpergle have been known to carry and drop Bedep around by redirecting unsuspecting users to compromised websites.

Bedep is bothersome not only because it is carried around by an exploit kit, but because it also connects to a remote server to do the nasty:

All of the above malware families have these in common: they steal your personal information and send them to the hacker, watch what you do online, drops other malware onto your PC, and update them too.

  • Collect information about your PC to send it off to the malware perpetrator
  • Update the downloaded malware

The good thing is, Windows Defender detects and removes Bedep and its variants.

This threat has been prevalent in North America, and various parts of Latin America, Europe, and Southeast Asia.

BedepGeoDist3

Figure 1: The map shows Win32/Bedep’s prevalence in North America, Latin America, Europe, and South East Asia in the last six months.

 

BedepPie 

Figure 2: The pie chart shows the Bedep distribution among the top 10 countries for the past six months

 

The exploit shellcode sometimes loads Bedep directly in the memory from the Angler Exploit Kit, without being written to disk. However, it gets written to disk at other times.

It can either be installed as 32bit DLL (Backdoor:Win32/Bedep.A) or 64bit DLL (Backdoor:Win64/Bedep.A), depending on the affected Windows OS version.

This threat is initially loaded by shellcode running in an exploited browser process (for example, iexplore.exe). Then, the threat downloads a copy of itself and injects that into explorer.exe.

We have observed that the first exploit is not enough. The attacker needs more exploits to bypass the OS or browser’s layered defenses. As a precaution, you should always be careful on clicking the User Account Control (UAC) prompts.

We’ve also seen that Bedep can drop itself as %ProgramData%<{CLSID}><filename>.dll

Example path and file names: C:ProgramData{9A88E103-A20A-4EA5-8636-C73B709A5BF8}acledit.dll.

It then creates the following registry entries:

In subkey: HKEY_CURRENT_USERCLSID%Random CLSID%InprocServer32

Example: HKEY_CURRENT_USERCLSID{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}InprocServer32

Sets value: “ThreadingModel

With data: “Apartment

Sets value: “”

With data: %Bedep Filename%

Example: “C:ProgramData{9A88E103-A20A-4EA5-8636-C73B709A5BF8}acledit.dll

In subkey: HKEY_CURRENT_USERDriveShellExFolderExtensions%Random CLSID%

Example: HKEY_CURRENT_USERDriveShellExFolderExtensions{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}

Sets value: “DriveMask

With data: dword:ffffffff

 

For details about various Bedep variants, see the following malware encyclopedia entries:

 

Mitigation and prevention

To help stay protected from Bedep and other threats, use an up-to-date Windows Defender for Windows 10 as your antimalware scanner, and ensure that MAPS has been enabled.

Though trojans have been a permanent fixture in the malware ecosystem, there’s still something that you or your administrators can proactively do:

 

Jonathan San Jose

MMPC

MSRT April release features Bedep detection

As part of our ongoing effort to provide better malware protection, the Microsoft Malicious Software Removal Tool (MSRT) release this April will include detections for:

In this blog, we’ll focus on the Bedep family of trojans.

 

The bothersome Bedep

Win32/Bedep was first detected in November 25, 2014 as a malware family made up of DLLs which has been distributed by Angler Exploit Kit. Microsoft detects Angler as:

JS/Axpergle and HTML/Axpergle have been known to carry and drop Bedep around by redirecting unsuspecting users to compromised websites.

Bedep is bothersome not only because it is carried around by an exploit kit, but because it also connects to a remote server to do the nasty:

All of the above malware families have these in common: they steal your personal information and send them to the hacker, watch what you do online, drops other malware onto your PC, and update them too.

  • Collect information about your PC to send it off to the malware perpetrator
  • Update the downloaded malware

The good thing is, Windows Defender detects and removes Bedep and its variants.

This threat has been prevalent in North America, and various parts of Latin America, Europe, and Southeast Asia.

BedepGeoDist3

Figure 1: The map shows Win32/Bedep’s prevalence in North America, Latin America, Europe, and South East Asia in the last six months.

 

BedepPie 

Figure 2: The pie chart shows the Bedep distribution among the top 10 countries for the past six months

 

The exploit shellcode sometimes loads Bedep directly in the memory from the Angler Exploit Kit, without being written to disk. However, it gets written to disk at other times.

It can either be installed as 32bit DLL (Backdoor:Win32/Bedep.A) or 64bit DLL (Backdoor:Win64/Bedep.A), depending on the affected Windows OS version.

This threat is initially loaded by shellcode running in an exploited browser process (for example, iexplore.exe). Then, the threat downloads a copy of itself and injects that into explorer.exe.

We have observed that the first exploit is not enough. The attacker needs more exploits to bypass the OS or browser’s layered defenses. As a precaution, you should always be careful on clicking the User Account Control (UAC) prompts.

We’ve also seen that Bedep can drop itself as %ProgramData%<{CLSID}><filename>.dll

Example path and file names: C:ProgramData{9A88E103-A20A-4EA5-8636-C73B709A5BF8}acledit.dll.

It then creates the following registry entries:

In subkey: HKEY_CURRENT_USERCLSID%Random CLSID%InprocServer32

Example: HKEY_CURRENT_USERCLSID{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}InprocServer32

Sets value: “ThreadingModel

With data: “Apartment

Sets value: “”

With data: %Bedep Filename%

Example: “C:ProgramData{9A88E103-A20A-4EA5-8636-C73B709A5BF8}acledit.dll

In subkey: HKEY_CURRENT_USERDriveShellExFolderExtensions%Random CLSID%

Example: HKEY_CURRENT_USERDriveShellExFolderExtensions{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}

Sets value: “DriveMask

With data: dword:ffffffff

 

For details about various Bedep variants, see the following malware encyclopedia entries:

 

Mitigation and prevention

To help stay protected from Bedep and other threats, use an up-to-date Windows Defender for Windows 10 as your antimalware scanner, and ensure that MAPS has been enabled.

Though trojans have been a permanent fixture in the malware ecosystem, there’s still something that you or your administrators can proactively do:

 

Jonathan San Jose

MMPC

Extracting the fare

February 14th, 2012 No comments

When malware is found lurking on a system, quite often it isn’t acting alone. Once malware distributors have control of a system, they will do everything they can to compromise the machine and the user for maximum gain — for instance, hijacking a browser’s search results, or using rogue security software to extract payments from affected users — and will try to install whatever other malware components they need to in order to make this happen.

Such is the case with Win32/Fareit, which is one of two new additions to the Microsoft Malicious Software Removal Tool (MSRT) for February 2012. Win32/Fareit is a family consisting of a password stealer and a component for performing Distributed Denial of Service (DDoS) attacks, and is often present on an affected system along with a suite of other malware.

The Distributed Denial of Service component, which we detect as DDoS:Win32/Fareit, contacts a remote server, which may instruct it to flood a target server with bogus HTTP traffic. It randomly chooses several fields of the HTTP header, in order to make it difficult for the targeted server to filter the unwanted requests. Hijacking the browser and collecting payments for rogue security software are not the only methods of profiting from an infected system, and this is where the password stealing component PWS:Win32/Fareit fits in.

When run, the malware scans the system looking for installations of popular FTP clients and cloud storage clients. Most of these allow users to cache login details for servers that they often connect to, and they store these details encrypted in configuration files or registry entries. If any of these clients are present on the system, the malware attempts to retrieve this login information from the files or registry, decrypt it, and post it to a remote server controlled by the attackers. Once they have this account information, they can log in to the compromised accounts, which often provide access to web servers, and upload other malware that they wish to distribute. You can see a list of the FTP clients and other software that PWS:Win32/Fareit targets in our encyclopedia description. It also attempts to steal stored passwords from some of the major web browsers. 

PWS:Win32/Fareit first came to our attention in large numbers in October, when we noticed it being installed by Win32/FakeScanti and Win32/Cycbot.

Win32/FakeScanti is a rogue security program that was added to MSRT in October 2009 and has recently gone by names such as Cloud AV 2012, AV Guard Online, Security Guard 2012, and Opencloud Antivirus.

Cloud AV 2012

Win32/Cycbot is a backdoor and browser hijacker, and was added to MSRT in February 2011. At various stages we have seen Win32/Cycbot and Win32/FakeScanti also downloading or installing one another, so this month’s addition of Win32/Fareit helps complete the cleaning of this multi-family infection.

Win32/Cycbot remains highly prevalent, and Backdoor:Win32/Cycbot.G was the number-one threat removed by MSRT last month. Win32/FakeScanti activity has decreased, though we continue to monitor it closely; however, we have received no new undetected samples of it so far this year. Unfortunately, this isn’t a sign that the rogue distributors have given up on their nefarious activities; most likely they have simply moved on to distributing different rogue families. 

If your system has been infected with Win32/Fareit, or related families like Win32/Cycbot, and you have any account details saved in your FTP client, after cleaning your local system, we recommend that you immediately change your password for each account. Check the related servers for new or suspicious files that you did not upload, change passwords for any accounts whose details you may have saved in your browser, and check those accounts for any unexpected activity.

The password-stealing component may only need to be run once in order to steal your credentials, so, by the time MSRT has performed its monthly scan, the damage may have already been done. This emphasizes the importance of running an antivirus solution that provides real-time protection.

David Wood
MMPC Melbourne